Microsoft Details Security Features of New Windows 8 OS

Microsoft's Windows 8 security measures include secure boot. As demonstrated at BUILD, this means compromised systems can refuse to boot.

Microsoft is detailing some of its security procedures for Windows 8.

Key to Windows 8's platform integrity architecture is its UEFI (Unified Extensible Firmware Interface), a set of specifications for how the operating system communicates with platform firmware during the boot-up process. UEFI features a firmware validation process known as secure boot, which dictates how that firmware manages security certificates, firmware validation, and the like.

"Microsoft's platform integrity architecture creates a root of trust with platform firmware using UEFI secure boot and certificates stored in firmware," Tony Mangefeste, a member of the Windows Ecosystem team, wrote in a Sept. 22 posting on the Building Windows 8 blog. "With Windows 8's secured boot architecture and its establishment of a root of trust, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified known good code and boot loaders can execute before the operating system itself loads."

In theory, UEFI secure boot will allow machines running Windows 8 to sidestep a current vulnerability in many PCs, namely that the pre-operating system environment is vulnerable to malicious loaders redirecting the boot loader handoff.

"For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default," Mangefeste added. Windows Certification will also ensure that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.

During the BUILD conference earlier in September, Windows and Windows Live division President Steven Sinofsky demonstrated Windows 8's security measures by having a fellow executive plug a USB with a rootkit virus into the port of a tablet running the operating system. The device failed to boot up and compromise the system.